radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0

binaries crash r2 on 'aaa' with jmptbl set to true #5889

Closed pinkflawd closed 8 years ago

pinkflawd commented 8 years ago

Ran a test script (see below) on a malware dump and found three binaries that crash r2, on cmdline as well as through pipe, when anal.jmptbl = true is set.

import r2pipe
import sys

# Open the binary named on the command line through r2pipe
r2 = r2pipe.open(sys.argv[1])

# Enable jump-table analysis, then run the full analysis pass
r2.cmd("e anal.jmptbl = true")

r2.cmd("aaa")
r2.quit()

breaks_aaa_w_jmptbl.zip

pinkflawd commented 8 years ago

asan.sh crash log on the 57b8c2f5cfeaca97da58cfcdaf10c88dbc2c987c436ddc1ad7b7ed31879cb665 binary:

ASAN:SIGSEGV
=================================================================
==23369==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f58824204aa bp 0x7fffa925a590 sp 0x7fffa9259d20 T0)
    #0 0x7f58824204a9  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x474a9)
    #1 0x7f58800ea79e in search_reg_val /home/kevin/radare2/libr/anal/fcn.c:327
    #2 0x7f58800ef7cf in fcn_recurse /home/kevin/radare2/libr/anal/fcn.c:935
    #3 0x7f58800eea91 in fcn_recurse /home/kevin/radare2/libr/anal/fcn.c:819
    #4 0x7f58800f0bc1 in r_anal_fcn /home/kevin/radare2/libr/anal/fcn.c:1102
    #5 0x7f58820129cc in core_anal_fcn /home/kevin/radare2/libr/core/anal.c:475
    #6 0x7f5882019664 in r_core_anal_fcn /home/kevin/radare2/libr/core/anal.c:1282
    #7 0x7f5881f20c77 in cmd_anal_calls /home/kevin/radare2/libr/core/cmd_anal.c:3137
    #8 0x7f5881f2c031 in cmd_anal_all /home/kevin/radare2/libr/core/cmd_anal.c:4493
    #9 0x7f5881f2ddbf in cmd_anal /home/kevin/radare2/libr/core/cmd_anal.c:4789
    #10 0x7f588200b0dd in r_cmd_call /home/kevin/radare2/libr/core/cmd_api.c:210
    #11 0x7f5881f929a7 in r_core_cmd_subst_i /home/kevin/radare2/libr/core/cmd.c:1882
    #12 0x7f5881f8d959 in r_core_cmd_subst /home/kevin/radare2/libr/core/cmd.c:1263
    #13 0x7f5881f8dbf6 in r_core_cmd_subst /home/kevin/radare2/libr/core/cmd.c:1285
    #14 0x7f5881f96840 in r_core_cmd /home/kevin/radare2/libr/core/cmd.c:2370
    #15 0x7f5881f973d1 in r_core_cmd0 /home/kevin/radare2/libr/core/cmd.c:2507
    #16 0x55ff175ca749 in run_commands /home/kevin/radare2/binr/radare2/radare2.c:322
    #17 0x55ff175cdd28 in main /home/kevin/radare2/binr/radare2/radare2.c:975
    #18 0x7f587cb4aabf in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
    #19 0x55ff175c92e8 in _start (/home/kevin/radare2/binr/radare2/radare2+0x62e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==23369==ABORTING
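The reporter ran one script per file and read the ASAN output by hand. When the same run is repeated over a whole corpus, a practitioner usually wants the crashes bucketed automatically so that the three files here would show up as one bug rather than three. The following harness is an added example, not radare2 or the reporter's code: it runs the same `aaa` analysis with `anal.jmptbl=true` through the r2 command-line flags `-e`, `-c` and `-q`, treats a negative exit status as a signal, and, when the binary is an ASAN build, parses the report on stderr and keys the bucket on the first frame whose source path is inside the project tree (the tree prefix `/home/kevin/radare2` is taken from the log above and is a parameter). The sample log embedded below is a constructed excerpt of the report posted in this issue.

```python
"""Crash-triage harness: run one r2 analysis per corpus file, then bucket any
crash by the first in-tree frame of the ASAN report found on stderr.
Added example, not radare2 code. The tree prefix and the sample log are
taken from the ASAN report in this issue; everything else is an assumption."""
import os
import re
import signal
import subprocess
import sys
from dataclasses import dataclass, field
from typing import Callable, Optional

# ASAN frame with a symbolized source location, e.g.
#   #1 0x7f58800ea79e in search_reg_val /home/kevin/radare2/libr/anal/fcn.c:327
# Frames without "in <func> <file>:<line>" (libasan, libc) deliberately do not match.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+?):(\d+)")
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+)")

# Constructed excerpt of the log posted in this issue, used as sample input.
SAMPLE_LOG = """ASAN:SIGSEGV
==23369==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f58824204aa bp 0x7fffa925a590 sp 0x7fffa9259d20 T0)
    #0 0x7f58824204a9  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x474a9)
    #1 0x7f58800ea79e in search_reg_val /home/kevin/radare2/libr/anal/fcn.c:327
    #2 0x7f58800ef7cf in fcn_recurse /home/kevin/radare2/libr/anal/fcn.c:935
    #3 0x7f58800eea91 in fcn_recurse /home/kevin/radare2/libr/anal/fcn.c:819
    #18 0x7f587cb4aabf in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20abf)
==23369==ABORTING
"""


@dataclass
class Frame:
    index: int
    function: str
    file: str
    line: int


@dataclass
class AsanReport:
    kind: str                      # e.g. "SEGV", "heap-buffer-overflow"
    frames: list = field(default_factory=list)

    def first_frame_in(self, tree: str) -> Optional[Frame]:
        """First frame whose source file lies under the project tree."""
        for f in self.frames:
            if f.file.startswith(tree):
                return f
        return None


def parse_asan(text: str) -> Optional[AsanReport]:
    """Return the report found in ASAN's stderr text, or None if there is none."""
    m = ERROR_RE.search(text)
    if not m:
        return None
    report = AsanReport(kind=m.group(1))
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            report.frames.append(Frame(int(fm.group(1)), fm.group(2), fm.group(3), int(fm.group(4))))
    return report


def bucket_key(report: AsanReport, tree: str) -> str:
    """Dedup key: error kind plus the first in-tree function and file:line."""
    f = report.first_frame_in(tree)
    if f is None:
        return f"{report.kind}:unknown"
    return f"{report.kind}:{f.function}@{os.path.basename(f.file)}:{f.line}"


def r2_argv(path: str) -> list:
    """Same analysis as the r2pipe script in this issue, via the r2 CLI
    (assumes radare2 is on PATH; use an ASAN build to get frame buckets)."""
    return ["radare2", "-q", "-e", "anal.jmptbl=true", "-c", "aaa", path]


def run_one(argv: list, timeout: float):
    """Run one command; returns (returncode, stderr). A negative returncode is
    the terminating signal number; (None, "") means the analysis hung."""
    try:
        p = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None, ""
    return p.returncode, p.stderr


def triage(paths, argv_for: Callable[[str], list] = r2_argv,
           tree: str = "/home/kevin/radare2", timeout: float = 120) -> dict:
    """Map bucket key -> list of corpus files; clean runs are not recorded."""
    buckets = {}
    for path in paths:
        rc, err = run_one(argv_for(path), timeout)
        if rc is None:
            key = "timeout"
        elif rc < 0:
            report = parse_asan(err)
            key = bucket_key(report, tree) if report else f"signal:{signal.Signals(-rc).name}"
        elif rc != 0:
            key = f"exit:{rc}"
        else:
            continue
        buckets.setdefault(key, []).append(path)
    return buckets


if __name__ == "__main__":
    # Usage: python3 triage.py <corpus files...>
    for key, files in sorted(triage(sys.argv[1:]).items()):
        print(f"{key}: {len(files)} file(s)", *files, sep="\n  ")
```

Bucketing on the first in-tree frame rather than frame #0 matters here: frame #0 is inside libasan itself, so keying on it would lump every null-dereference in the codebase together, whereas `search_reg_val@fcn.c:327` points at the code that actually needs the check. A non-ASAN build still yields useful output, falling back to the signal name.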

alvarofe commented 8 years ago

Fixed in master. @oddcoder take a look at why the name of the reg is null, whether it is normal or not.